Sysdig falco is an open source container security monitor designed to detect anomalous activity in your applications. Falco lets you continuously monitor and detect container, application, host, and network activity, all in one place, from one source of data, with one set of customizable rules.
Think of falco as an easy-to-use combination of Snort, OSSEC and strace.
A little taste of what falco can detect...

A shell is run in a container:
    container.id != host and proc.name = bash

Unexpected outbound Elasticsearch connection:
    user.name = elasticsearch and outbound and not fd.sport=9300

Write to directory holding system binaries:
    fd.directory in (/bin, /sbin, /usr/bin, /usr/sbin) and write

Non-authorized container namespace change:
    syscall.type = setns and not proc.name in (docker, sysdig)

Non-device files written in /dev (some rootkits do this):
    (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null

Process other than skype/webex tries to access camera:
    evt.type = open and fd.name = /dev/video0 and not proc.name in (skype, webex)
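The conditions above are only the "when" half of a rule. The following rules file is an added example, not the Falco project's own falco_rules.yaml, showing how such conditions are wrapped into complete Falco rules: named macros (container, spawned_process, outbound, open_write) and lists (shell_binaries, bin_dirs) are reusable fragments, and each rule adds a description, an output template and a priority. The macro definitions and the package-manager exclusion (dpkg, rpm) are simplifying assumptions written for this illustration.

```yaml
# Added example (not from the Falco project's shipped rules file): how the
# example conditions become complete Falco rules. Macro definitions and the
# dpkg/rpm exclusion below are simplified assumptions for illustration.

# Reusable building blocks: a macro is a named condition fragment, a list
# is a named set of values that can be used inside "in (...)".
- macro: container
  condition: container.id != host

- macro: spawned_process
  condition: evt.type = execve and evt.dir = <

- macro: outbound
  condition: syscall.type = connect and evt.dir = < and (fd.typechar = 4 or fd.typechar = 6)

- macro: open_write
  condition: (evt.type = open or evt.type = openat) and evt.is_open_write = true

- list: shell_binaries
  items: [bash, sh, zsh]

- list: bin_dirs
  items: [/bin, /sbin, /usr/bin, /usr/sbin]

# Rules: condition says when to fire, output is the alert text (each %field
# is expanded from the matching event), priority is the severity.
- rule: Shell spawned in container
  desc: A shell was executed inside a container
  condition: spawned_process and container and proc.name in (shell_binaries)
  output: >
    Shell in container (user=%user.name container=%container.id
    shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
  priority: WARNING

- rule: Unexpected outbound Elasticsearch connection
  desc: The elasticsearch user opened a connection not involving port 9300
  condition: user.name = elasticsearch and outbound and not fd.sport = 9300
  output: >
    Unexpected outbound connection from elasticsearch
    (command=%proc.cmdline connection=%fd.name)
  priority: WARNING

- rule: Write to system binary directory
  desc: A file under a system binary directory was opened for writing
  # Assumption: package managers are expected writers and are excluded.
  condition: open_write and fd.directory in (bin_dirs) and not proc.name in (dpkg, rpm)
  output: >
    File opened for writing under a system binary dir
    (user=%user.name command=%proc.cmdline file=%fd.name)
  priority: ERROR

- rule: Non-device file written in /dev
  desc: A regular file was created in /dev, a common rootkit technique
  condition: (evt.type = creat or evt.arg.flags contains O_CREAT) and proc.name != blkid and fd.directory = /dev and fd.name != /dev/null
  output: >
    File created in /dev (user=%user.name command=%proc.cmdline file=%fd.name)
  priority: ERROR
```

Load the file with the falco command line's `-r` option; to try the rules against a recorded system capture rather than live traffic, as the page suggests below, pass the capture file with `-e` (both are assumed here to be the options of the falco binary of that era).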
Falco was hatched from an important realization: the rich data within system calls can be used to secure your applications, even inside containers. Unlike other approaches, falco can do this in a simpler, unified way that is accessible to everyone.
Falco gives you instant access to a treasure trove of data buried within your system, with one instrumentation point. Easily build rules around process spawning, file access, logs, network activity - your entire system - and be alerted immediately.
Designed for the rest of us
Too often, security tools and intrusion detection systems are powerful but too complex for everyone to use. Falco is designed to make you productive in minutes.
Adapts to your environment
Augment the base rules to meet your security requirements. Flexible outputs mean you can pipe Falco alerts to a broad collection of other tools and systems.
Secure your containers from the outside. Falco's rules are Docker- and rkt-aware, so you can write container-specific rules.
Create rules and then test them on historical system capture files. Know exactly what you're going to get before you go into production!
Falco leverages the sysdig kernel probe, which has been in use for years across hundreds of thousands of hosts.